How it works...

NTFS alternate data streams are, as the name implies, alternative streams where data can be stored. Since this lends itself to malware deployment similar to what you tried in the recipe, these streams are used more often than you might think.

The zone identifier is the easiest and most readily available example since it's usually written when you download a file by traditional means in your browser. The individual streams for your reference are as follows: